mw's log

Started by mw, August 28, 2006, 04:33:45 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

mw

Hey Everyone. I seem to be attached by spyquake2.com Everything I have read on line gives me more programs that you need to pay for. I just want to clean my computer. I have disabled my wireless card so it cannot connect to the internet. I am using another computer. This is my hijackthis log. I would grateful if anyone can help.

Best,
MWLogfile of HijackThis v1.99.1
Scan saved at 12:30:20 AM, on 8/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\system32\ismon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\SpyQuake2.com\Spy-Quake2.exe
C:\Program Files\Common Files\{90F666CB-031D-1033-0829-000512000001}\Update.exe
C:\Program Files\SpyQuake2.com\Spy-Quake2.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Matthew\Desktop\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139008013434
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

Corrine

I suggest you copy the instructions to your desktop or print them as you will no have access to the internet while conducting the cleanup.

A. Please download the following files:

  • Download SmitfraudFix (© S!Ri) to your Desktop from http://siri.urz.free.fr/Fix/SmitfraudFix.zip .  Extract all the files to your Desktop and a folder named SmitfraudFix will be created on your Desktop.

  • Download ewido anti-spyware from HERE.  Save the file to your desktop so  you can locate it.

    • Locate the ewido anti-spyware icon on the desktop.
    • Double-click the large yellow "e" ewido icon to launch the set up program. 
    • The installation will require a restart of the computer.
    • Launch ewido to update to the latest definition files.
    • On the main screen select the "Update" icon
    • Click "Start Update".  The update will start and a progress bar will show the updates being installed.
    • If you have problems with the updater, you can use this link to manually update ewido --   ewido manual updates
    • Adjust ewido as follows:

      • Select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
      • In the Settings screen click "Recommended actions" and then select "Quarantine".
      • Under "Reports"

        • Select "Automatically generate report after every scan"
        • DE-Select "Only if threats were found"
        • close ewido
      B.  Restart your computer in Safe Mode.

      • If the computer is running, shut down Windows, and then turn off the power.
      • Wait 30 seconds, and then turn the computer on.
      • Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
      • Ensure that the Safe Mode option is selected.
      • Press Enter. The computer then begins to start in Safe Mode.
      • Login on your usual account.
      If you need further assistance with Safe Mode, see Symantec

      C.  Scanning and system cleaning with ewido. 

      • Lauch ewido-anti-spyware by double-clicking the icon on the desktop. IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess.
      • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
      • ewido will now begin the scanning process.  Be patient as this may take a little time.
      • While scanning, ewido will list any infections found on the left side.
      • When the scan is completed, the recommended action should be set to Quarantine.  If not click Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right side.
      • Click on "Save Report", then "Save Report As".  This will create a text file.  Make sure you know where to find this file again (like on the Desktop).
      • Close ewido.
      D.  Open the SmitfraudFix folder

      • Double-click smitfraudfix.cmd file to start the tool.
      • Select option #2 - Clean by typing 2 and press Enter.
        Warning : running option #2 on a uninfected computer will remove your Desktop background.
      • Wait for the tool to complete and disk cleanup to finish.
      • You will be prompted : "Registry cleaning - Do you want to clean the registry?"

        • Answer Yes by typing Y
        • Hit Enter.

      • The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.

        • Answer Yes to the question "Replace infected file?" by typing Y
        • Hit Enter.
      • A reboot may be needed to finish the cleaning process.  If your computer does not restart automatically please do it yourself manually.
      • Restart in Safe Mode as instructed above.
      • The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
      E. Scan with HijackThis, check the following and select "Fix Checked:

      O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
      O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
      O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll


      F. While in Safe Mode, search for and remove the following if found:

      C:\WINDOWS\system32\devldr32.exe
      C:\Program Files\Common Files\{90F666CB-031D-1033-0829-000512000001}\Update.exe
      C:\Program Files\SpyQuake2.com <--- Folder
      C:\Program Files\ToolBar888 <--- Folder
      C:\Program Files\Safety Bar <--- Folder

      G. Restart in Normal Mode and double-click the HijackThis icon on your desktop.  Choose "Do a system scan and save logfile". 

      H.  Post a reply with the following logs and let us know how your PC is doing:

      • C:\rapport.txt
      • ewido log
      • HijackThis log


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.